VYPR
Medium severity (CVSS 6.4) · OSV Advisory · Published Aug 3, 2025 · Updated Apr 15, 2026

CVE-2025-52132

Description

The Mocca Calendar application before 2.15 for XWiki allows XSS via a title to the view event page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mocca Calendar before 2.15 for XWiki allows stored XSS via unescaped event titles on the view event page, enabling script execution for any user with view access.

Root Cause

The Mocca Calendar application for XWiki versions before 2.15 fails to properly escape event titles when rendering the view event page. The vulnerability resides in the MoccaCalendarEventSheet template, where $eventInstance.getTitle() is output without escaping in the view mode branch, as noted in the security advisory [4]. This allows an attacker to inject arbitrary HTML or JavaScript through the event title field.

Exploitation

An authenticated user with permission to create or edit events can set a title containing malicious script code, such as ``. The injected script does not execute within the calendar's main UI (e.g., the day view or navigation tree) but activates once a victim opens the event's dedicated page. The advisory confirms the PoC: creating an event with such a title and then navigating to its page triggers the script before the page fully loads [4]. No special privileges beyond standard event creation are required, widening the attack surface.

Impact

Successful exploitation leads to Cross-Site Scripting (XSS) in the context of the victim's session. An attacker can execute arbitrary JavaScript, potentially stealing session cookies, performing actions on behalf of the user, or defacing the page. The CVSS v3 score of 6.4 (Medium) reflects the need for user interaction (viewing the event page) but the lack of authentication barriers for the attacker beyond basic event creation rights.

Mitigation

The vulnerability is fixed in Mocca Calendar version 2.15. Users should update the extension via the XWiki Extension Manager. As a workaround, the advisory recommends inspecting event titles in the calendar's day view or navigation tree before opening the event page, and deleting any events containing suspicious text [4]. No CVE-specific KEV listing has been published at this time.
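To make the root cause and the fix concrete, here is an added Python illustration of the defect class (it is not Mocca Calendar's Velocity code and not the project's actual patch). It stands in for the view-mode branch of the event sheet: one renderer writes the title into the page verbatim, the other HTML-escapes it at the output point. It also includes a small offline audit over a list of event titles, which is the advisory's workaround (inspect titles for suspicious text before opening the event page) expressed as a check. The function names and the sample titles are constructed for this example.

```python
"""Output-escaping illustration for the CVE-2025-52132 defect class.

Added example: a Python stand-in for a template that renders an event
title. Not Mocca Calendar's own code; the titles below are constructed.
"""
import html
import re

# Constructed sample titles (not taken from the advisory). The third one
# is the kind of markup-bearing title the advisory warns about.
SAMPLE_TITLES = [
    "Quarterly planning",
    'Lunch & learn: "Escaping 101"',
    "<script>alert('xss')</script>",
]

# Matches anything that looks like an HTML tag, e.g. "<script>" or "<img src=x>".
TAG_PATTERN = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_event_page_unsafe(title: str) -> str:
    """'Before' behaviour: the title is interpolated verbatim into the page.

    This mirrors what the advisory describes for the view-mode branch
    (the raw title is written into the HTML), so any markup in the title
    becomes part of the document the viewer's browser parses and runs.
    """
    return f'<h1 class="event-title">{title}</h1>'


def render_event_page_safe(title: str) -> str:
    """'After' behaviour: HTML-escape the title at the output point.

    html.escape turns <, >, &, " and ' into character references, so the
    browser displays the title as text and never treats it as markup.
    """
    return f'<h1 class="event-title">{html.escape(title, quote=True)}</h1>'


def tag_names(fragment: str) -> set[str]:
    """Return the lower-cased names of every HTML tag present in a fragment.

    Used to show the difference between the two renderers: an escaped
    title contributes no tags of its own, only the wrapper element remains.
    """
    return {
        m.group(1).lower()
        for m in re.finditer(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", fragment)
    }


def audit_titles(titles: list[str]) -> list[str]:
    """Offline version of the advisory's workaround.

    Returns the titles that contain tag-like markup so an administrator can
    review and delete them without opening each event's page.
    """
    return [t for t in titles if TAG_PATTERN.search(t)]


if __name__ == "__main__":
    for title in SAMPLE_TITLES:
        print("unsafe:", render_event_page_unsafe(title))
        print("safe:  ", render_event_page_safe(title))
    print("titles needing review:", audit_titles(SAMPLE_TITLES))
```

The point of `tag_names` is that the safe renderer yields only the wrapper element for a markup-bearing title, while the unsafe one yields the wrapper plus whatever the title smuggled in; escaping at the output sink, not input filtering, is what closes the defect.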

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Record summary

- Affected products: 2
- Patches: 1
- Vulnerability mechanics: generated on May 9, 2026 (inputs: CWE entries and fix-commit diffs from this CVE's patches; citations validated against the bundle)
- References: 2
- News mentions: 0 (no linked articles in our index yet)